System Hardening
Last updated
Last updated
AppArmor is a layer of security that sits between applications and our system filesystem, proceeses and networks.
We can do profiles for the applications we wanna apply AppArmor on.
We can create profiles for firefox, kubernetes, kubelet etc...
We can run aa-genprof curl to generate a profile for curl, then we can check if its added by going to /etc/apparmor.d/ or running aa-status.
We can use aa-logprof which checks the logs and update our profil according to the logs.
We can apply an apparmor profile definition using apparmor_parser --add <path-of-profile> and we got it from
We have a pre-created profile called docker-nginx so we will apply it, this profile restricts some stuff as shown below and we can confirm its added by running aa-status
Then to test our new profile we can create an nginx container that uses our profile docker run --security-opt apparmor=docker-nginx -d nginx and then docker exec -it <container-id> sh.
The name of the profile isn't the name of the file, but its the name specified inside the file.
Prior to v1.30, this was created using annotations.
We have a pre-created seccomp configuration, we will add it to /var/lib/kubelet/seccomp/profiles/default.json on the worker node.
Now, we create a pod and add the profile path.
We can exec and it works!
Now, we will remove write syscall from the seccomp default.json profile and see what happens.
It is not working as the container can't write and create the nginx service!
Running netstat -plnt | grep 22 or lsof -i :22 to check for ssh listening connections and open ports.